Modern vehicles increasingly use electronic control units to control and regulate a wide variety of vehicle functions. In particular, the operation of vehicle engines is controlled by means of such control units. Electronic control units require an EDP program to execute their functions. Often, this EDP program must be modified retroactively because program faults are discovered or else predefined values for operating parameters of a device controlled by the control unit need to be updated, or because functions of the EDP program are expanded or restricted. For this purpose, the control unit has an interface, so that corresponding modifications of the EDP program are able to be input into the control unit and stored there in a program memory. However, the vehicle must visit a service facility for this purpose, where the new program data are imported into the control unit using a so-called service facility tester. Since the program is usually of a confidential nature and, in addition, any unauthorized manipulation of the control unit's method of operation must be prevented, e.g., for reasons of liability and/or operating safety of the vehicle, the transmission of the program data is implemented with the aid of encoding mechanisms or codes specified by the vehicle manufacturer. The manufacturer stores the confidential codes in the service facility tester, which uses them prior to the reprogramming of the control unit as its legitimization (i.e., security code) vis-à-vis the control unit. This protects the control unit from direct manipulation, so that it is impossible to obtain, via unauthorized access to the control unit, its identification algorithms for the legitimization and to derive the legitimization therefrom. In order to avoid a complicated and time-consuming visit to a service facility, it is expedient to have the ability of programming the control unit remotely without, however, jeopardizing the access security in the process.
Published German patent document DE 100 01 130 describes a system and a method for the remote programming of a control unit, which controls a vehicle and is able to be programmed remotely. An interface for receiving program data from a remote control station via a wireless long-distance connection is part of the system. Program data to be transmitted to the control unit of the vehicle are buffer-stored in a buffer store at the interface and then transmitted into a program memory of the control unit. The buffering of the program data is necessary due to the often unstable wireless long-distance connection in which malfunctions such as a faulty data transmission or interruptions in the connection are quite common. Only when the program data have been received in their entirety are they able to be input into the memory of the control unit since the operation of the vehicle is interrupted while the program data are input into the memory of the control unit. If the program data were directly input into the memory of the control unit, without buffering, the operation of the vehicle would be interrupted during the entire time required for the remote transmission of the program data from the control station into the buffer store, which sometimes may take a relatively long time due to interruptions in the remote transmission.
However, a problem arises here with respect to the legitimization that must be transmitted to the control unit in order for it to accept the program data transmitted thereto from the buffer store. The manufacturer does not wish this legitimization to be physically and permanently stored in the vehicle itself, since the manufacturer thus loses control over the confidentiality or the dissemination of the legitimization.